Playbook 07 Compliance Audit

Playbook 07: Compliance & Audit Guide

Security | 30 min read | 6,000 words

SOC 2, GDPR, HIPAA, PCI DSS implementation. Audit logging with immutable signatures, RBAC, data privacy (PII redaction), and regulatory compliance.

Key Topics

• Regulatory frameworks: SOC 2 Type II, GDPR, HIPAA, PCI DSS, ISO 27001 mapped to Claude Code
• Audit logging: comprehensive event types, HMAC-SHA256 signed logs, tamper detection
• Data privacy: GDPR data minimization, automatic PII redaction, retention policies
• GDPR data subject rights: access (Art. 15), erasure (Art. 17), portability (Art. 20)
• Access controls: role-based access control (RBAC) with Admin, Developer, Auditor, User roles
• SOC 2 Common Criteria: CC6 access controls, evidence collection, suspicious activity detection

Summary

Ensuring Claude Code plugin workflows meet regulatory requirements is critical for enterprise deployments. The playbook maps five major frameworks to specific Claude Code impact areas: SOC 2 Type II requires audit logs, access controls, and encryption; GDPR demands consent, data minimization, and right to erasure; HIPAA mandates encryption, access logs, and that PHI never touches cloud APIs; PCI DSS requires tokenization and secure storage; and ISO 27001 requires risk management and incident response. A risk assessment interface tracks compliance status per requirement with severity and remediation deadlines.

The audit logging system captures four categories of events: authentication (login, logout, API key creation/revocation), data access (conversation read/create/delete, data export), configuration changes (plugin install/uninstall, settings changes), and security events (failed authentication, denied authorization, key rotation, suspicious activity). Every log entry receives an HMAC-SHA256 signature computed from the event's core fields, enabling tamper detection via verification. Storage options span append-only WORM files, PostgreSQL with audit triggers, and SIEM integration.

Data privacy implementation includes automatic PII redaction using regex patterns for email addresses, phone numbers, SSNs, and credit card numbers -- applied before any conversation data is stored. Data retention policies enforce 90-day conversation retention, 7-year audit log retention (SOC 2 requirement), 1-year analytics retention, and 30-day backup retention. The GDPR erasure handler deletes all user conversations, analytics, and preferences while anonymizing (not deleting) audit logs, since legal requirements prevent their removal.

RBAC implements four roles with distinct permission sets. Admin gets all permissions including user management and audit log access. Developer gets conversation read/write and plugin installation. Auditor gets read-only access to audit logs and conversations. User gets only conversation read and write. Permission checks are enforced before every action, with denied attempts logged as security events.

SOC 2 Type II implementation covers Common Criteria CC6 for access controls: access granted based on job function (CC6.1), removed when no longer needed (CC6.2), and suspicious activity detected and responded to (CC6.7). The suspicious activity detector locks accounts after 5 failed logins within an hour and alerts the security team on logins from 3+ IP addresses. Automated evidence collection scripts gather access logs, Git history, backup verification, SSL certificates, and vulnerability scan results for audit preparation. HIPAA compliance is enforced by routing all healthcare data through self-hosted Ollama -- PHI must never be sent to cloud APIs.

Related Playbooks

• Self-Hosted Stack Setup
• MCP Server Reliability

---

Read full playbook on tonsofskills.com ->